Skip to content

Commit

Permalink
AddressSanitizer: fix heap-use-after-free in downloadedDataTest() (px…
Browse files Browse the repository at this point in the history 
…scene#898)

We had to remove this test:

    void downloadedDataTest()
    {
      rtFileCache::instance()->clearCache();
      addDataToCache("http://fileserver/file.jpeg",getHeader(),getBodyData(),fixedData.length());
      rtFileDownloadRequest* request = new rtFileDownloadRequest("http://fileserver/file.jpeg",this);
      expectedStatusCode = 0;
      expectedCachePresence = true;
      expectedHttpCode = 200;
(1)   rtFileDownloader::instance()->downloadFile(request);
      char *data = new char [1000];
      size_t size = 0;
      memset (data, 0, 1000);
(2)   request->downloadedData(data, size);
      //since the data would have been consumed by callback
      EXPECT_TRUE (size == 0);
      delete[] data;
      sem_wait(testSem);
    }

Because it is not possible to invoke (2) after (1) has finished
('request' is being deleted in the end of downloadFile() method).

This is where it crashes:

==30599==ERROR: AddressSanitizer: heap-use-after-free on address 0x614000075878 at pc 0x000000825a05 bp 0x7ffe924a7a60 sp 0x7ffe924a7a50
READ of size 8 at 0x614000075878 thread T0
    #0 0x825a04 in rtFileDownloadRequest::downloadedData(char*&, unsigned long&) pxCore/src/rtFileDownloader.cpp:265
    pxscene#1 0x6692e1 in rtFileDownloaderTest::downloadedDataTest() pxCore/tests/pxScene2d/test_imagecache.cpp:1020
    pxscene#2 0x64ddcb in rtFileDownloaderTest_checkCacheTests_Test::TestBody() pxCore/tests/pxScene2d/test_imagecache.cpp:1245
    pxscene#3 0x7ad316 in void testing::internal::HandleSehExceptionsInMethodIfSupported<testing::Test, void>(testing::Test*, void (testing::Test::*)(), char const*) (pxCore/tests/pxScene2d/pxscene2dtests+0x7ad316)
    pxscene#4 0x7a09d6 in void testing::internal::HandleExceptionsInMethodIfSupported<testing::Test, void>(testing::Test*, void (testing::Test::*)(), char const*) pxCore/tests/pxScene2d/../../examples/pxScene2d/external/gtest/googletest/src/gtest.cc:2438
    pxscene#5 0x75d56b in testing::Test::Run() pxCore/tests/pxScene2d/../../examples/pxScene2d/external/gtest/googletest/src/gtest.cc:2474
    pxscene#6 0x75e857 in testing::TestInfo::Run() pxCore/tests/pxScene2d/../../examples/pxScene2d/external/gtest/googletest/src/gtest.cc:2656
    pxscene#7 0x75f3d0 in testing::TestCase::Run() pxCore/tests/pxScene2d/../../examples/pxScene2d/external/gtest/googletest/src/gtest.cc:2774
    pxscene#8 0x76ff6e in testing::internal::UnitTestImpl::RunAllTests() pxCore/tests/pxScene2d/../../examples/pxScene2d/external/gtest/googletest/src/gtest.cc:4649
    pxscene#9 0x7afd55 in bool testing::internal::HandleSehExceptionsInMethodIfSupported<testing::internal::UnitTestImpl, bool>(testing::internal::UnitTestImpl*, bool (testing::internal::UnitTestImpl::*)(), char const*) pxCore/tests/pxScene2d/../../examples/pxScene2d/external/gtest/googletest/src/gtest.cc:2402
    pxscene#10 0x7a2b35 in bool testing::internal::HandleExceptionsInMethodIfSupported<testing::internal::UnitTestImpl, bool>(testing::internal::UnitTestImpl*, bool (testing::internal::UnitTestImpl::*)(), char const*) (pxCore/tests/pxScene2d/pxscene2dtests+0x7a2b35)
    pxscene#11 0x76d177 in testing::UnitTest::Run() pxCore/tests/pxScene2d/../../examples/pxScene2d/external/gtest/googletest/src/gtest.cc:4257
    pxscene#12 0x5299db in RUN_ALL_TESTS() (pxCore/tests/pxScene2d/pxscene2dtests+0x5299db)
    pxscene#13 0x5295c7 in main pxCore/tests/pxScene2d/pxscene2dtestsmain.cpp:101
    pxscene#14 0x7f3562c8d009 in __libc_start_main (/lib64/libc.so.6+0x21009)
    pxscene#15 0x5293c9 in _start (pxCore/tests/pxScene2d/pxscene2dtests+0x5293c9)

0x614000075878 is located 56 bytes inside of 448-byte region [0x614000075840,0x614000075a00)
freed by thread T0 here:
    #0 0x7f3568a5cfd0 in operator delete(void*) (/lib64/libasan.so.4+0xe0fd0)
    pxscene#1 0x827368 in rtFileDownloader::downloadFile(rtFileDownloadRequest*) pxCore/src/rtFileDownloader.cpp:630
    pxscene#2 0x669241 in rtFileDownloaderTest::downloadedDataTest() pxCore/tests/pxScene2d/test_imagecache.cpp:1016
    pxscene#3 0x64ddcb in rtFileDownloaderTest_checkCacheTests_Test::TestBody() pxCore/tests/pxScene2d/test_imagecache.cpp:1245
    pxscene#4 0x7ad316 in void testing::internal::HandleSehExceptionsInMethodIfSupported<testing::Test, void>(testing::Test*, void (testing::Test::*)(), char const*) (pxCore/tests/pxScene2d/pxscene2dtests+0x7ad316)
    pxscene#5 0x7a09d6 in void testing::internal::HandleExceptionsInMethodIfSupported<testing::Test, void>(testing::Test*, void (testing::Test::*)(), char const*) pxCore/tests/pxScene2d/../../examples/pxScene2d/external/gtest/googletest/src/gtest.cc:2438
    pxscene#6 0x75d56b in testing::Test::Run() pxCore/tests/pxScene2d/../../examples/pxScene2d/external/gtest/googletest/src/gtest.cc:2474
    pxscene#7 0x75e857 in testing::TestInfo::Run() pxCore/tests/pxScene2d/../../examples/pxScene2d/external/gtest/googletest/src/gtest.cc:2656
    pxscene#8 0x75f3d0 in testing::TestCase::Run() pxCore/tests/pxScene2d/../../examples/pxScene2d/external/gtest/googletest/src/gtest.cc:2774
    pxscene#9 0x76ff6e in testing::internal::UnitTestImpl::RunAllTests() pxCore/tests/pxScene2d/../../examples/pxScene2d/external/gtest/googletest/src/gtest.cc:4649
    pxscene#10 0x7afd55 in bool testing::internal::HandleSehExceptionsInMethodIfSupported<testing::internal::UnitTestImpl, bool>(testing::internal::UnitTestImpl*, bool (testing::internal::UnitTestImpl::*)(), char const*) pxCore/tests/pxScene2d/../../examples/pxScene2d/external/gtest/googletest/src/gtest.cc:2402
    pxscene#11 0x7a2b35 in bool testing::internal::HandleExceptionsInMethodIfSupported<testing::internal::UnitTestImpl, bool>(testing::internal::UnitTestImpl*, bool (testing::internal::UnitTestImpl::*)(), char const*) (pxCore/tests/pxScene2d/pxscene2dtests+0x7a2b35)
    pxscene#12 0x76d177 in testing::UnitTest::Run() pxCore/tests/pxScene2d/../../examples/pxScene2d/external/gtest/googletest/src/gtest.cc:4257
    pxscene#13 0x5299db in RUN_ALL_TESTS() (pxCore/tests/pxScene2d/pxscene2dtests+0x5299db)
    pxscene#14 0x5295c7 in main pxCore/tests/pxScene2d/pxscene2dtestsmain.cpp:101
    pxscene#15 0x7f3562c8d009 in __libc_start_main (/lib64/libc.so.6+0x21009)

previously allocated by thread T0 here:
    #0 0x7f3568a5c158 in operator new(unsigned long) (/lib64/libasan.so.4+0xe0158)
    pxscene#1 0x669124 in rtFileDownloaderTest::downloadedDataTest() pxCore/tests/pxScene2d/test_imagecache.cpp:1012
    pxscene#2 0x64ddcb in rtFileDownloaderTest_checkCacheTests_Test::TestBody() pxCore/tests/pxScene2d/test_imagecache.cpp:1245
    pxscene#3 0x7ad316 in void testing::internal::HandleSehExceptionsInMethodIfSupported<testing::Test, void>(testing::Test*, void (testing::Test::*)(), char const*) (pxCore/tests/pxScene2d/pxscene2dtests+0x7ad316)
    pxscene#4 0x7a09d6 in void testing::internal::HandleExceptionsInMethodIfSupported<testing::Test, void>(testing::Test*, void (testing::Test::*)(), char const*) pxCore/tests/pxScene2d/../../examples/pxScene2d/external/gtest/googletest/src/gtest.cc:2438
    pxscene#5 0x75d56b in testing::Test::Run() pxCore/tests/pxScene2d/../../examples/pxScene2d/external/gtest/googletest/src/gtest.cc:2474
    pxscene#6 0x75e857 in testing::TestInfo::Run() pxCore/tests/pxScene2d/../../examples/pxScene2d/external/gtest/googletest/src/gtest.cc:2656
    pxscene#7 0x75f3d0 in testing::TestCase::Run() pxCore/tests/pxScene2d/../../examples/pxScene2d/external/gtest/googletest/src/gtest.cc:2774
    pxscene#8 0x76ff6e in testing::internal::UnitTestImpl::RunAllTests() pxCore/tests/pxScene2d/../../examples/pxScene2d/external/gtest/googletest/src/gtest.cc:4649
    pxscene#9 0x7afd55 in bool testing::internal::HandleSehExceptionsInMethodIfSupported<testing::internal::UnitTestImpl, bool>(testing::internal::UnitTestImpl*, bool (testing::internal::UnitTestImpl::*)(), char const*) pxCore/tests/pxScene2d/../../examples/pxScene2d/external/gtest/googletest/src/gtest.cc:2402
    pxscene#10 0x7a2b35 in bool testing::internal::HandleExceptionsInMethodIfSupported<testing::internal::UnitTestImpl, bool>(testing::internal::UnitTestImpl*, bool (testing::internal::UnitTestImpl::*)(), char const*) (pxCore/tests/pxScene2d/pxscene2dtests+0x7a2b35)
    pxscene#11 0x76d177 in testing::UnitTest::Run() pxCore/tests/pxScene2d/../../examples/pxScene2d/external/gtest/googletest/src/gtest.cc:4257
    pxscene#12 0x5299db in RUN_ALL_TESTS() (pxCore/tests/pxScene2d/pxscene2dtests+0x5299db)
    pxscene#13 0x5295c7 in main pxCore/tests/pxScene2d/pxscene2dtestsmain.cpp:101
    pxscene#14 0x7f3562c8d009 in __libc_start_main (/lib64/libc.so.6+0x21009)

SUMMARY: AddressSanitizer: heap-use-after-free pxCore/src/rtFileDownloader.cpp:265 in rtFileDownloadRequest::downloadedData(char*&, unsigned long&)
Shadow bytes around the buggy address:
  0x0c2880006ab0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2880006ac0: fa fa fa fa fa fa fa fa fa fa fa fa ^[1mfa fa fa fa
  0x0c2880006ad0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2880006ae0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2880006af0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c2880006b00: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd[fd]
  0x0c2880006b10: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2880006b20: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2880006b30: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2880006b40: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c2880006b50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==30599==ABORTING
  • Loading branch information
@dwrobel
dwrobel authored and mfiess committed Mar 6, 2018
1 parent 5253726 commit e5551af
Showing 1 changed file with 0 additions and 20 deletions.
20 changes: 0 additions & 20 deletions tests/pxScene2d/test_imagecache.cpp
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1024,25 +1024,6 @@ class rtFileDownloaderTest : public testing::Test, public commonTestFns
EXPECT_TRUE (request->downloadHandleExpiresTime() == 3);
}

void downloadedDataTest()
{
rtFileCache::instance()->clearCache();
addDataToCache("http://fileserver/file.jpeg",getHeader(),getBodyData(),fixedData.length());
rtFileDownloadRequest* request = new rtFileDownloadRequest("http://fileserver/file.jpeg",this);
expectedStatusCode = 0;
expectedCachePresence = true;
expectedHttpCode = 200;
rtFileDownloader::instance()->downloadFile(request);
char *data = new char [1000];
size_t size = 0;
memset (data, 0, 1000);
request->downloadedData(data, size);
//since the data would have been consumed by callback
EXPECT_TRUE (size == 0);
delete[] data;
sem_wait(testSem);
}

void addToDownloadQueueTest()
{
rtFileCache::instance()->clearCache();
Expand Down Expand Up @@ -1261,7 +1242,6 @@ TEST_F(rtFileDownloaderTest, checkCacheTests)
setCallbackFunctionNullTest();
setCallbackDataTest();
setDownloadHandleExpiresTimeTest();
downloadedDataTest();
addToDownloadQueueTest();
setCallbackFunctionNullInDownloadFileTest();
setDefaultCallbackFunctionNullTest();
Expand Down

0 comments on commit e5551af

Please sign in to comment.